Declarative insecure self-signed certificates in NixOS

That’s the point; sops uses device-specific encryption, so it would only be readable on devices that should be able to read it - or none, I suppose, if you really wanted to store a dev-only secret.

If you manage your secrets as data and not configuration this is quite a bit less problematic. I would really suggest looking into a flow using sops and a simple script you call anytime you want a new host, rather than using derivations for things that should never be derivations.
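As an added example (not code from the thread or from sops-nix), here is a minimal version of the per-host flow the reply suggests: generate a self-signed cert and key for a new host, wrap them in YAML, and encrypt that YAML with sops so it lives in the repo as data rather than as a derivation. It assumes `openssl`, `sops` with age support, and sops-nix on the consuming host; the host name and age public key are hypothetical inputs.

```shell
#!/usr/bin/env sh
# Hypothetical new-host script (added example). The plaintext key only ever
# exists in a scratch directory; what gets committed is the sops-encrypted
# YAML, so nothing secret is built into the world-readable /nix/store.
set -eu

# Generate an RSA key and a self-signed certificate for host $1 into
# directory $2 (CN = host name, one year validity). Prints the directory.
gen_self_signed() {
  host=$1; dir=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$host" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  chmod 600 "$dir/key.pem"
  echo "$dir"
}

# Assemble the plaintext YAML that sops-nix will later split into per-secret
# files (tls/cert, tls/key). Block scalars keep the PEM newlines intact.
build_yaml() {
  dir=$1
  printf 'tls:\n  cert: |\n'; sed 's/^/    /' "$dir/cert.pem"
  printf '  key: |\n';       sed 's/^/    /' "$dir/key.pem"
}

# Encrypt the YAML for the new host's age public key ($1), reading the
# material from $2 and writing the encrypted file to $3 (commit this one).
encrypt_for_host() {
  age_pub=$1; dir=$2; out=$3
  build_yaml "$dir" | sops --encrypt --age "$age_pub" \
    --input-type yaml --output-type yaml /dev/stdin > "$out"
}

# Sanity check: the generated certificate parses and carries the expected CN.
cert_cn() {
  openssl x509 -in "$1/cert.pem" -noout -subject | sed 's/.*CN *= *//'
}
```

On the NixOS side the host then consumes the file with something like `sops.secrets."tls/key".sopsFile = ./secrets/<host>.yaml;` and `sops.age.keyFile` pointing at its own age key, so the decrypted key is written to `/run/secrets` at activation instead of being derived.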
